The Office of Personnel Management is hit with another lawsuit against it for the cybersecurity breach it suffered in June.
Edward Krippendorf — a former Defense Department employee — filed a class action complaint against OPM and Keypoint Systems — the contractor directly involved in the security clearance system at the time of the hack — after having his personal information compromised.
In the lawsuit, Krippendorf alleges that despite knowing about cybersecurity flaws in its network, “OPM failed to take steps to remedy those deficiencies.”
Krippendorf also claims OPM violated the Privacy Act by ignoring recommendations for security upgrades from the Inspector General since 2007.
The lawsuit cites multiple issues in a November 2014 audit that “could potentially have national security implications” such as OPM’s decentralized governance structure, remote access sessions that don’t terminate after periods of inactivity and failure to monitor software.
While the lawsuit doesn’t call for specific types of compensation such as money, it does ask for “appropriate relief, including actual and statutory damages,” and “declaratory relief” like Social Security cards and passports reissued to the plaintiffs for free.
Krippendorf’s lawsuit is the third OPM faces in the aftermath of the breach.
The American Federation of Government Employees, the largest union representing federal employees, filed a class action lawsuit on June 29 against OPM and Keypoint Systems, along with then-OPM Director Katherine Archuleta and chief information officer Donna Seymour.
The National Treasury Employees Union announced in July it also was filing a class action complaint against Archuleta.
NTEU’s suit claims OPM failed to safeguard information and ensure agency officials took steps to reduce the risk of unauthorized access use under the Federal Information Security Management Act.